Create a folder on the Server where only the CEOs have access AND all Administrative users don't have access and are unable to get back the access to this folder.

I tried the following:

Win 2008R2 DC and Fileserver

In the NTFS settings on the folder: deny all for System (make sure that all special things like taking rights are also restricted), then make the CEO group the owner and give them full access; lastly, I denied all for the Administrators and Domain Admins groups (make sure that all special things like taking rights are also restricted). No other groups are listed.

Now I, as Administrator, can't get into the folder and am unable to give myself the rights back.

Can someone verify if this is a secure way for the task, or are there other ways for Administrators to get into this folder, besides resetting passwords (which the CEO will see when he tries to log on again) or sniffing the network for password hashes?

Also, as an optional special extra, they wanted files to be deletable only when 2 CEOs verify it (four-eyes principle), but I think such things can only be done with special software and a database.

Matthew could be on the best track here but use Windows EFS to encrypt the folder / files for the CEOs, by adding each CEO's certificate to the folder EFS settings. That way only they will be able to access those files, while hopefully still allowing Administrator to have NTFS permissions & the ability to backup.

The ability to use EFS to encrypt files for more than one user is underrated and underused in my experience.

I just thought that it would also be better not to use the CEO group and to put all CEOs separately on the access list, so that if another Administrator puts his user account in the group he will also not see the content.

Assigning the CEOs explicit permissions individually is not good practice.

Better to use a deny permission for all IT users & administrators.

With auditing of AD operations switched on, you will have the evidence trail if any operator were to add an account to the CEO group.

Of course the backup is a problem, and I personally would also like it more if an admin could have access there for backup, but they don't want it. So I have to make them responsible themselves for the backup of this folder.
All of them have big USB sticks with TrueCrypt saves and they know how to use them.

Mark's method of enabling auditing is the way to go here. Even if you lock out an admin in the NTFS permissions, by being an admin they will have rights to take ownership and then change permissions however they want. However, if this leaves an audit trail, an admin who does this will be caught and can be handled as a personnel issue. Make sure there is a process in place to periodically review the audit data.
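
As an added example (not posted by anyone in this thread), one way to set up the folder auditing and the periodic review described above in PowerShell. The path `D:\Shares\CEO` and the 7-day window are assumed placeholders, and the script assumes an elevated session under an account that can still read the folder's ACL, so run the first part before the deny entries are applied.

```powershell
# Assumed placeholder path; replace with the real protected folder.
$Folder = 'D:\Shares\CEO'

# 1. Turn on the "File System" audit subcategory. Without it, the
#    audit entries (SACL) on the folder produce no events.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 2. Audit every attempt, successful or failed, by anyone to take
#    ownership of or change permissions on the folder and its children.
$rights  = [System.Security.AccessControl.FileSystemRights]'TakeOwnership, ChangePermissions'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$flags   = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule    = New-Object System.Security.AccessControl.FileSystemAuditRule(
               'Everyone', $rights, $inherit, $prop, $flags)

$acl = Get-Acl -Path $Folder -Audit      # -Audit also loads the SACL
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# 3. Periodic review: Security log events 4663 (object access attempt)
#    and 4670 (permissions on an object were changed) for this folder.
function Get-EventField($Event, $Name) {
    # Pull one named field out of the event's XML payload.
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$since  = (Get-Date).AddDays(-7)         # assumed review interval
$filter = @{ LogName = 'Security'; Id = 4663, 4670; StartTime = $since }

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { (Get-EventField $_ 'ObjectName') -like "$Folder*" } |
    ForEach-Object {
        New-Object PSObject -Property @{
            Time    = $_.TimeCreated
            EventId = $_.Id
            User    = Get-EventField $_ 'SubjectUserName'
            Object  = Get-EventField $_ 'ObjectName'
        }
    } |
    Sort-Object Time |
    Format-Table Time, EventId, User, Object -AutoSize
```

Because an administrator can also clear or edit the local Security log, the review is only meaningful if the events are forwarded to a system those administrators do not control.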


Perhaps a TrueCrypt volume stored on the server would work. This way you could let the CEOs set the password and no one else could gain access. Only downfall is multiple users couldn't mount the same TrueCrypt volume at once.

Matthew could be on the best track here but use Windows EFS to encrypt the folder / files for the CEOs, by adding each CEO's certificate to the folder EFS settings. That way only they will be able to access those files, while hopefully still allowing Administrator to have NTFS permissions & the ability to backup.

The ability to use EFS to encrypt files for more than one user is underrated and underused in my experience.

It's an old post, just saw it, but I cannot agree more: this will do the trick and provide real protection against "superusers". However, I would still recommend enabling auditing to have a full record of what was encrypted and when (e.g. in case someone accidentally or intentionally decrypts the files).
